Download:
pdf |
pdfU.S. DEPARTMENT OF AGRICULTURE
WASHINGTON, DC 20250
DEPARTMENTAL REGULATION
SUBJECT:
DATE:
Common Identification Standard for U.S.
Department of Agriculture Employees and
Contractors
January 14, 2009
Number:
4620-002
OPI:
Office of Security Services
(OSS)
Section
1
2
3
4
5
6
Appendix A
Appendix B
Appendix C
1.
Page
Purpose
Background
Special Instructions/Cancellations
Policy
Credential Issuance
Roles and Responsibilities
Definitions
Acronyms
HSPD-12 Source Documents
1
1
2
2
3
3
A-1
B-1
C-1
PURPOSE
This regulation prescribes the policies, roles, and responsibilities necessary to
implement Homeland Security Presidential Directive (HSPD) 12, Common
Identification Standard for Federal Employees and Contractors.
2.
BACKGROUND
HSPD-12 establishes the general requirements for a common Federal identification
system. The President has mandated that all Federal departments provide a process
for identity proofing and credentialing employees and contractors to increase
security and provide greater interoperability between departments and Federal
facilities.
For further information on HSPD-12 and its related requirements and standards,
please see sources in Appendix C.
�DR 4620-002
3.
January 14, 2009
SPECIAL INSTRUCTIONS/CANCELLATIONS
HSPD-12 applies to all employees, as defined in title 5 U.S.C §2105 “Employee,”
within a department or agency. Further defined by Executive Order (EO) 12968,
“Employee” means a person, other than the President and Vice President, employed
by, detailed or assigned to, USDA, including members of the Armed Forces; an
expert or consultant to USDA; an industrial or commercial contractor, licensee,
certificate holder, or grantee of USDA, including all subcontractors; a personal
services contractor; or any other category of person who acts on behalf of an agency
as determined by the agency head. In addition, all contractors requiring routine
access to Federally controlled facilities and/or Federally controlled information
systems will be subject to HSPD-12 requirements.
No provision in this regulation shall have the effect of nullifying or limiting
protections for equal employment opportunity as defined under Title VII of the
Civil Rights Act, 42 U.S.C. 3535(d), or Executive Order 11478. The U.S.
Department of Agriculture (USDA) prohibits discrimination in all its programs and
activities on the basis of race, color, national origin, age, disability, and where
applicable, sex, marital status, familial status, parental status, religion, sexual
orientation, genetic information, political beliefs, reprisal, or because all or a part of
an individual's income is derived from any public assistance program. (Not all
prohibited bases apply to all programs.) Persons with disabilities who require
alternative means for communication of program information (Braille, large print,
audiotape, etc.) should contact USDA's TARGET Center at (202) 720-2600 (voice
and TDD). To file a complaint of discrimination write to USDA, Director, Office of
Civil Rights, 1400 Independence Avenue, S.W., Washington, DC 20250-9410 or
call 1-800-795-3272 (voice) or (202) 720-6382 (TDD). USDA is an equal
opportunity provider and employer.
The 2002 Federal Information Security Management Act (FISMA) does not permit
waivers to the Federal Information Processing Standard (FIPS) 201-1 standards.
This regulation cancels DR 4620-1 dated February 26, 1995.
4.
POLICY
Departmental agencies must comply with HSPD-12 for all applicable USDA
employees and contractors who work for USDA. Detailed procedures are described
in Departmental Manual (DM) 4620-002.
a.
Agencies must implement the standard procedures in FIPS 201-1, the NIST
Special Publication (SP) series related to HSPD-12, and DM 4620-002.
b.
All employees hired under Title 5 USC, Farm Services Agency (FSA) county
employees and others defined by Executive Order (EO) 12968, will be
2
�January 14, 2009
DR 4620-002
required to follow procedures in FIPS 201-1, the NIST Special Publication
(SP) series related to HSPD-12, and DM 4620-002, if they require routine
access to USDA controlled facilities and/or information systems.
5.
c.
All contractors working for USDA will be required to follow procedures in
FIPS 201-1, the NIST Special Publication (SP) series related to HSPD-12, and
DM 4620-002 if they require routine access to USDA controlled facilities
and/or information systems.
d.
All USDA employees who are stationed outside the United States at
Government facilities and/or have access to information systems will be
issued credentials by the Department of State for their overseas work areas.
They are eligible for a LincPass when requested.
CREDENTIAL ISSUANCE
Credentials will be issued in the following order: 1) those located in National
Capital Region (NCR); 2) those located in USDA Mission Critical Facilities (MCF)
and major metropolitan area facilities; and 3) all remaining field locations.
6.
ROLES AND RESPONSIBILITIES
a.
b.
The Office of the Chief Information Officer (OCIO) will:
(1)
Establish, in consultation with the Office of Security Services (OSS),
policies, standards, and procedures for implementing and administering
the Personal Identity Verification program throughout the Department.
(2)
Provide guidance to agencies to ensure that the IT infrastructure is
compatible with the GSA Shared Services Solution which provides
USDA with a system to enroll, print and activate LincPass smartcards to
eligible individuals to meet HSPD-12 requirements.
(3)
Create requirements for the development of an enterprise Logical Access
Control System (LACS), and build and maintain centralized LACS
according to requirements.
(4)
Assist OSS with maintaining an enterprise Physical Access Control
System (ePACS) infrastructure and connectivity.
(5)
Ensure personal information collected for employee and contractor
identification purposes is handled consistent with the Privacy Act of
1974 (5 U.S.C. § 552a) and all FISMA requirements.
Departmental Administration – Office of Security Services (OSS) will:
3
�DR 4620-002
c.
January 14, 2009
(1)
Establish, in consultation with the Office of the Chief Information
Officer (OCIO), policies, standards, and procedures for implementing
and administering the PIV program throughout the Department.
(2)
Develop and implement policies and procedures to support the
registration and identity proofing of contract employees, and to ensure
initiation and adjudication of contract employee background checks
(National Agency Check with Inquiries (NACI)).
(3)
Assist agencies in determining if previous NACI, Public Trust or
National Security Clearance background investigations were
successfully adjudicated.
(4)
Create requirements for the development of an ePACS to centrally
support agency PACS; build and administer an ePACS according to
requirements.
(5)
Be responsible for the physical access control system for all USDA
facilities within the NCR. Continue to support all facilities as previously
required.
(6)
Develop a master plan for initial implementation and credential
issuance.
Departmental Administration – Office of Human Capital Management
(OHCM) will:
(1)
Develop policies and procedures to ensure that agency Human
Resources staff that in-process new employees capture all information
required for HSPD-12 enrollment,
(2)
Develop policies and procedures to ensure a background investigation
(NACI) has been initiated and successfully adjudicated.
(3)
Determine the position sensitivity designation for all applicant positions,
and ensure the employee has the appropriate background investigation
commensurate with that determination.
(4)
Remove from Federal service any employee denied a LincPass. The
appeal process for a removal from federal service is already established
in law and regulation (Title 5, U.S.C. and Title 5, C.F.R.); employees
can appeal to the Merit Systems Protection Board.
4
�January 14, 2009
(5)
d.
e.
DR 4620-002
Post to the public Web site a quarterly report on the number of PIV
credentials issued to employees as required by OMB.
Departmental Administration – Office of Procurement and Property
Management (OPPM) will:
(1)
Provide HSPD-12 procurement and contracting guidance to the agencies
and to the acquisition workforce.
(2)
Provide HSPD-12 guidance to agencies regarding the use and
functionality of the Non-Employee Information System (NEIS).
(3)
Support sponsorship training module development.
(4)
Support OSS in development of roles and responsibilities for contractors
and other non- Title 5 employees including establishment and
implementation of appeal and removal procedures for contractors denied
a LincPass, in accordance with DM 4620-002.
(5)
Review and distribute HSPD-12 relevant information to agency
procurement operations as additional system requirements and
operational procedures are defined by OPPM Personnel and Document
Security Division and OCIO.
The Agencies will:
(1)
Comply with NIST’s FIPS 201-1, the NIST Special Publication series
related to HSPD-12, and Departmental Manual 4620-002.
(2)
Comply with Departmental policies and procedures to support
registration, identity proofing, and issuing LincPasses and other
appropriate badges.
(3)
Prepare and validate data to be loaded into the GSA Shared Services
system and provide roles for sponsorship, enrollment, adjudication, and
activation for issuance of LincPasses.
(4)
Ensure agency applicants’ travel to enrollment stations for both
enrollment and activation of their LincPasses.
(5)
Ensure compatibility of agency physical and logical control systems
with USDA enterprise physical and logical control systems; comply with
USDA physical and logical control policies and procedures.
5
�DR 4620-002
January 14, 2009
(6)
In consultation with OPPM, provide HSPD-12 procurement and
contracting guidance to contracting organization, to ensure compliance
with HSPD-12, FIPS 201-1, and OMB guidance.
(7)
Maintain records that will permit the audit of agency PIV programs in
accordance with HSPD-12, FIPS 201-1, relevant OMB guidance and any
OIG requirements.
- END -
6
�January 14, 2009
DR 4620-002
Appendix A
APPENDIX A
DEFINITIONS
a.
Access control. The process of granting or denying requests to access physical
facilities or areas, or to logical systems (e.g., computer networks or software
applications). See also “logical access control system” and “physical access control
system.”
b.
Accompanied access. A person that is accessing the facility and/or information
system under escort and/or continuous monitoring by a USDA official (PIV ID
credential holder).
c.
Contractor. An individual under contract to USDA (for the purpose of HSPD-12
implementation).
d.
Credential. An identity card (“smart card”) also known as LincPass issued to an
individual that contains stored identity credentials so that the claimed identity of the
cardholder can be verified against the stored credentials by another person or by an
automated process.
e.
Employee. Defined in title 5 U.S.C §2105 “Employee,” within a department or
agency. Further defined by Executive Order (EO) 12968, “Employee” means a
person, other than the President and Vice President, employed by, detailed or
assigned to, USDA, including members of the Armed Forces; an expert or
consultant to USDA; an industrial or commercial contractor, licensee, certificate
holder, or grantee of USDA, including all subcontractors; a personal services
contractor; or any other category of person who acts on behalf of an agency as
determined by the agency head
e.
Federal Facility or Information System Access. Authorization granted to an
individual to physically enter federally controlled facilities, and/or electronically
(logically) access federally controlled information systems for approved purposes.
f.
Identity-proofing. The process of providing sufficient information (e.g., driver’s
license, proof of current address) to a registration authority, or the process of
verifying an individual’s information that he or she is that individual and no other.
g.
LincPass. USDA has named their common ID card the LincPass, as it is designed
to link a person’s identity to an identification card and the card to a person’s ability
to access Federal buildings and computer systems. The spelling of LincPass is a
tribute to President Abraham Lincoln, who created the People’s Department (now
USDA) in 1862.
h.
Logical Access Control System (LACS). Protection mechanisms that limit a user’s
access to information and restrict their forms of access on the system to only what is
A-1
�DR 4620-002
Appendix A
January 14, 2009
appropriate for them. These systems may be built in to an operating system,
application, or an added system.
i.
Mission Critical Facility (MCF). A building or group of buildings in one
geographical area, so vital to the United States and/or USDA that the incapacity or
destruction would have a debilitating impact on security, national economic
security, national public health or safety, USDA mission accomplishment during
exigent circumstances, or any combination thereof.
j.
National Agency Check with Inquiries (NACI). The basic and minimum
investigation required of all new Federal employees and contractors consisting of
searches of the OPM Security/Suitability Investigations Index (SII), the Defense
Clearance and Investigations Index (DCII), the FBI Identification Division’s name
and fingerprint files, and other files or indices when necessary. A NACI also
includes written inquiries and searches of records covering specific areas of an
individual’s background during the past five years (inquiries sent to current and past
employers, schools attended, references, and local law enforcement authorities).
k.
National Capital Region (NCR). Pursuant to the National Capital Planning Act of
1952 (Title 40, U.S.C., Sec. 71) the Act defined the NCR as the District of
Columbia; Montgomery and Prince George’s Counties of Maryland; Arlington,
Fairfax, Loudon, and Prince William Counties of Virginia; and all cities now or
here after existing in Maryland or Virginia within the geographic area bounded by
the outer boundaries of the combined area of said counties.
l.
Physical Access Control System (PACS). Protection mechanisms that limit users'
access to physical facilities or areas to only what is appropriate for them. These
systems typically involve a combination of hardware and software (e.g., a card
reader), and may involve human control (e.g., a security guard).
m.
PIV-II Compliant Credential. An identity card (“smart card”) also known as
LincPass issued to an individual that contains stored identity credentials so that the
claimed identity of the cardholder can be verified against the stored credentials by
another person or by an automated process.
n.
Routine access. A person that is accessing the facility and/or information system
without an escort and/or continuous monitoring by a USDA official. The agency’s
determination should be based upon the support to successfully complete USDA’s
mission critical functions/missions. This type of access requires a mandatory PIV
ID credential to be issued.
A-2
�January 14, 2009
DR 4620-002
Appendix B
APPENDIX B
ABBREVIATIONS
DM
ePACS
FISMA
FIPS
FSA
GSA
GSA MSO
HSPD-12
LACS
LincPass
MCF
NACI
NCR
NIST
OCIO
OIG
OMB
OPM
OPPM
OSS
PACS
PIV
PIV-I
PIV-II
USDA
Departmental Manual
Enterprise Physical Access Control System
Federal Information Security Management Act
Federal Information Processing Standard
Farm Services Agency
General Services Administration
General Services Administration Managed Services Office
Homeland Security Presidential Directive 12
Logical Access Control System
PIV-II Compliant Badge for USDA
Mission Critical Facility
National Agency Check with Inquiries
National Capital Region
National Institutes of Standards and Technology
Office of Chief Information Officer
Office of the Inspector General
Office of Management and Budget
Office of Personnel Management
Office of Procurement and Property Management
Office of Security Services
Physical Access Control System
Personal Identity Verification
Personal Identity Verification, Part I
Personal Identity Verification, Part II
United States Department of Agriculture
B-1
�January 14, 2009
DR 4620-002
Appendix C
APPENDIX C
HSPD-12 SOURCE DOCUMENTS
a.
Homeland Security Presidential Directive (HSPD) 12, Policy for a Common
Identification Standard for Federal Employees and Contractors, August 27, 2004
b.
Computer Security Act of 1987 (Public Law 100-235).
c.
U.S. Department of Commerce, National Institute of Standards and Technology
(NIST), Federal Information Processing Standard Publication (FIPS) 201-1,
Personal Identity Verification, March 2006
d.
Office of Management and Budget (OMB) Memorandum, Implementation of
Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common
Identification Standard for Federal Employees and Contractors M-05-24, August
5, 2005
e.
OMB Memorandum, Acquisition of Products and Services for Implementation of
HSPD-12, M-06-18, June 30, 2006
f.
OMB Validating and Monitoring Agency Issuance of Personal Identity
Verification Credentials, M-07-06, January 11, 2007
g.
Privacy Act, 1974 (5USC 552a) and Electronic Privacy Act, 1986 (USC 2701)
h.
U.S. Department of Commerce, National Institute of Standards and Technology,
Special Publications (SP):
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
i.
800-37, Guide for the Security Certification and Accreditation of Federal
Information Systems, May 2004
800-53, Recommended Security Controls for Federal Information
Systems, September 2004 (2PD).
800-63, Electronic Authentication Guideline, Appendix A, June 2004.
800-73-1, Interfaces with Personal Identity Verification, April 2006.
800-76-1, Biometric Data Specification for Personal Identity Verification,
January 2007.
800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity
Verification, July 2006.
800-85A, PIV Card Application and Middleware Interface Test
Guidelines, April 2006.
800-87, Codes for the Identification of Federal and Federally-Assisted
Organizations, December 2006.
800-104, A Scheme for PIV Visual Card Topology, January 2007.
Department Manual (DM 4620-002) Common Identification Standard for U.S.
Department of Agriculture Employees and Contractors
C-1
�DR 4620-002
Appendix C
January 14, 2009
j.
Form I-9 (Rev. 10/4/00) – Department of Justice (OMB No. 1115-0136)
k.
Personnel Investigations, Title 5, Code of Federal Regulations, 736.101 (b)
l.
Executive Order (EO) 12968, August 1995
C-2
�
| File Type | application/pdf |
| Author | rsternberg |
| File Modified | 2009-02-27 |
| File Created | 2009-02-27 |